openldap-technical April 2015

openldap-technical@openldap.org

63 participants
83 discussions

olcHidden breaks slapcat? possible bug in slapcat(8)?
by Igor Shmukler 17 Apr '15

17 Apr '15

Hello, I use olcHidden and set it to true in some instances. This seems to work, yet it breaks slapcat(8) as below: $ sudo slapcat -n 0 5530b282 olcRootPW: value #0: <olcRootPW> can only be set when rootdn is under suffix 5530b282 config error processing olcDatabase={2}hdb,cn=config: <olcRootPW> can only be set when rootdn is under suffix slapcat: bad configuration file! Is this a bug, or the desired behavior? Sincerely, Igor Shmukler

2 1

catch size and performance
by Greg Jetter 17 Apr '15

17 Apr '15

Hello: I, running a openldap setup with one provider and 3 consumers , I am seeing intermittent problems of replication not happening "Until" the consumers are re started . This cures the problem. replication starts up and continues for a while . The servers have very large amount of memory , 256 gigs .. I configured the hdb backend 'DB_CONFIG' , to have 4 gigs of catch , could this be causing the replication problem ? whats the optional size that keeps openldap happy ? thanks Greg

2 1

Fwd: 2.4.40 memory leak?
by Sergey Esin 17 Apr '15

17 Apr '15

Hi all, We're running OpenLDAP 2.4.40 (the latest available release) with just one replica server (connected via TLS) and have the following picture - http://i.imgur.com/om0lMiy.png On the graph you can see memory consumption of the slapd process on the host: in the beginngin it started without replica, then replica server was connected (memory consumption became around 4 Gigs) and then OOM (out-of-memory) killer on linux machine just killed the process. There are ~400 000 users in our ldap database. OpenLDAP was compiled from sources using "./configure --prefix=/ldap2440 --with-tls --enable-slapd". Are there any ways to understand what's is going wrong and how to fix it? This server is really important for us, please share any ideas how to make it stable! My DB_CONFIG is like below: set_flags DB_LOG_AUTOREMOVE set_cachesize 0 524288000 5 set_lg_regionmax 1048576 set_lg_max 10485760 set_lg_bsize 2097512 set_lk_max_locks 23000 set_lk_max_lockers 2300 set_lk_max_objects 2300 -- Regards, Sergey

2 4

Re: olcHidden breaks slapcat? possible bug in slapcat(8)?
by Igor Shmukler 17 Apr '15

17 Apr '15

Hello Ulrich, Not to me, it does not answer the question. How do I connect olcHIdden set to TRUE throwing an error, and FALSE does not? Would you mind making the connection for me, please. Sincerely, Igor Shmukler On Fri, Apr 17, 2015 at 9:38 AM, Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de> wrote: >>>> Igor Shmukler <igor.shmukler(a)gmail.com> schrieb am 17.04.2015 um 09:16 in > Nachricht > <CAA1SNA3DMtE+1ZnzCu_NxeX164ZK3aZ-G7o0q-Dx8KXc5QBxDA(a)mail.gmail.com>: >> Hello, >> >> I use olcHidden and set it to true in some instances. >> This seems to work, yet it breaks slapcat(8) as below: >> $ sudo slapcat -n 0 >> 5530b282 olcRootPW: value #0: <olcRootPW> can only be set when rootdn >> is under suffix >> 5530b282 config error processing olcDatabase={2}hdb,cn=config: >> <olcRootPW> can only be set when rootdn is under suffix >> slapcat: bad configuration file! > > In a message Igor sent to be before, it showed that he has a oldRootPW set, but no olcRootDN. > I guess it answered the question, right? > >> >> Is this a bug, or the desired behavior? >> >> Sincerely, >> >> Igor Shmukler > > > >

1 0

Re: Re: Can domain admins be filtered out with ACLs?
by Igor Shmukler 16 Apr '15

16 Apr '15

Hello Ulrich, I do not doubt that you are right, yet what to understand. Why would be rootdn necessary to fix ACLs when we have the config database without RootDN and therefore that one is cannot be messed up by applying a filter to the RootDN? Not that I doubt wisdom of the design decisions. For my goal, I am going to use olcHidden to achieve what I need instead. If I cannot properly suspend a DIT, I get close to desired results by hiding the database. Sincerely, Igor Shmukler On Fri, Apr 17, 2015 at 8:15 AM, Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de> wrote: >>>> Quanah Gibson-Mount <quanah(a)zimbra.com> schrieb am 16.04.2015 um 20:38 in > Nachricht <C40A1A2544EECEE4E75EA494(a)[192.168.1.9]>: > [...] >>>From the slapd.access(5) man page: >> >> Be warned: the rootdn can always read and write EVERYTHING! > > ...and that is very helpful if you messed up your ACLs... > > [...] > > Regards, > Ulrich > >

1 0

Can domain admins be filtered out with ACLs?
by Igor Shmukler 16 Apr '15

16 Apr '15

Hello, I tried to filter out everyone except cn=config when my ACL filter rule is true (a NAME type attribute matches a value), so that password authentication for filtered-out users would fail. It works for regular users, and does not for admins. Is this because my ACL rules are wrong, or is this a feature of OpenLDAP? Why no matter what I do My LDIF is below: dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange filter=(serviceLevel=suspended) by dn="cn=config" write by * none olcAccess: {1}to attrs=userPassword,shadowLastChange filter=(!(serviceLevel=suspended)) by self write by anonymous auth by dn="cn=admin,dc=directory,dc=com" write by dn="cn=config" write by * none olcAccess: {2}to dn.base="" by * read olcAccess: {3}to * filter=(serviceLevel=suspended) by dn="cn=config" write by * none olcAccess: {4}to * filter=(!(serviceLevel=suspended)) by self write by dn="cn=admin,dc=directory,dc=com" write by dn="cn=config" write by * read Is there something special about LDAP administrator, by design? Thank you, Igor Shmukler

2 2

Re: integrate Openldap and Windows Active Directory server 2003
by Clément OUDOT 15 Apr '15

15 Apr '15

2015-04-15 17:48 GMT+02:00 Kaushal Shriyan <kaushalshriyan(a)gmail.com>: > Hi Clement, > > LSC, We proposed a synchronisation mechanism but was rejected since gives a > lot of privileges to the OpenLDAP to change customer data in AD. the > customer don't want it. Is there a way to get over with this specific use > case? > You just need a read-only AD account if you need to sync from AD to OpenLDAP. Clément.

1 0

integrate Openldap and Windows Active Directory server 2003
by Kaushal Shriyan 15 Apr '15

15 Apr '15

Hi, Is there a way to integrate Openldap and Windows Active Directory server 2003 and sync all the Windows AD users in Openldap? Regards, Kaushal

2 1

multiples syncrepl from same host and DB
by julien soula 15 Apr '15

15 Apr '15

hello, I wanted to synchronize 2 branches of a master DB (slapd-2.4.38). So I created 2 olcSyncrepl on the slave : olcSyncrepl: {0}rid=201 provider=ldap://master searchbase="cn=branch1,suffixDB" scope=sub olcSyncrepl: {1}rid=202 provider=ldap://master searchbase="cn=branch2,suffixDB" scope=sub Unfortunatly, it doesn't work. A change on branch2 on the master produces often a "CSN too old" on the slave. After investigating, it seems that the pb comes from the fact there is one contextCSN by DB. So if the sync task on branch1 is the first to process, it updates the contextCSN and therefore the sync task on branch2 thinks that change is not newer. Am I right ? So is there a proper way to achieve what I want ? Thank for any hints, -- Julien << Vous n'avez rien a dire... Parlons-en! >>

3 3

Re: Antw: multiples syncrepl from same host and DB
by julien soula 15 Apr '15

15 Apr '15

On Wed, Apr 15, 2015 at 02:40:37PM +0200, Ulrich Windl wrote: > >>> julien soula <jsoula(a)univ-lille2.fr> schrieb am 15.04.2015 um 13:29 in > Nachricht <20150415112905.GB3225(a)nickel.univ-lille2.fr>: > > hello, > > > > I wanted to synchronize 2 branches of a master DB (slapd-2.4.38). So I > > created 2 olcSyncrepl on the slave : > > > > olcSyncrepl: {0}rid=201 provider=ldap://master > > searchbase="cn=branch1,suffixDB" scope=sub > > olcSyncrepl: {1}rid=202 provider=ldap://master > > searchbase="cn=branch2,suffixDB" scope=sub > > > > Unfortunatly, it doesn't work. A change on branch2 on the master > > produces often a "CSN too old" on the slave. > > > > After investigating, it seems that the pb comes from the fact there is > > one contextCSN by DB. So if the sync task on branch1 is the first to > > process, it updates the contextCSN and therefore the sync task on > > branch2 thinks that change is not newer. Am I right ? > > If the message you are talking about is like this: > slapd[3965]: do_syncrep2: rid=001 CSN too old, ignoring 20150409131449.846699Z#000000#001#000000 (olcDatabase={1}hdb,cn=config) yes > _and_ the CSN received is the CSN sent,... yes > ... then just ignore the message. That is the same server said before: > slapd[3965]: slap_queue_csn: queing 0x7f5f30afcf20 20150409131449.846699Z#000000#001#000000 > > > > > So is there a proper way to achieve what I want ? > > Did you check the databases before and after sync? Are there differences, or are you just worried about the messages? In fact, I first noticed the no-change of the slave then I took a look to the log and saw this message (the only suspect I saw). Is this config supposed to work ? sincerly, -- Julien << Vous n'avez rien a dire... Parlons-en! >>

1 1

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2015